Chef Automate provides DevOps teams a dashboard for complete operational visibility across large-scale or mission-critical infrastructure. This comprehensive visibility allows developers, operators, and security engineers to collaborate on delivering application and infrastructure changes at the speed of business. Chef Automate provides real-time data across the estate with intelligent access controls, ensuring the right team has the right access.
In most large enterprises it is imperative to have Identity and Access Management, especially one that provides a combination of resource and role-based access management. An IAM solution is an effective way to improve security and access by limiting who has access and how much access they have to appropriate systems. The best way to deliver these increased Identity and Access Management practices is to set up a role-based access control (RBAC) strategy based upon how environments are set up. A clear distinction of access by roles or responsibilities is presented in the following example that distinguishes between Finance versus HR.
Today, Chef has made generally available (GA) a comprehensive Chef Automate Identity and Access Management capability which includes an enterprise-grade Role-Based Access Control framework to enable customers to more easily manage large scale implementations across teams, and Project-scoped Access Control capabilities allowing administrators to delegate system management responsibilities more easily.
Chef Automate’s Identity and Access Management (IAM) offering builds on existing LDAP and SAML integrations by introducing enhanced multi-statement policies and role-based access control with a set of built-in roles to simplify typical security configurations.
Several built-in IAM roles, or a named list of actions that can be performed in Chef Automate, are provided including: owner, editor, viewer, and ingest. For more detailed information on what type of permissions each role has see the IAM Overview documentation.
Role |
Description |
Owner |
Do everything in the system including IAM |
Editor |
Do everything in the system except IAM |
Viewer |
View everything in the system except IAM |
Ingest |
Ingest data into the system |
These IAM roles can be used in a policy statement to allow or deny access to the actions contained in an IAM role. You are now able to manage IAM policy membership through the user interface in addition to the REST API, giving you control over who has access to what actions. As before, IAM policy members can include LDAP/SAML users and groups plus local users, teams, and API tokens.
Custom IAM roles are also supported via the REST API and can include over 130 individual IAM actions that we upgraded to support fine-grained access control and delegation of specific responsibilities.
Chef Automate’s Identity and Access Management (IAM) now also offers IAM Projects, which work in conjunction with IAM roles providing complete role and project-scoped access control in Chef Automate. This introduces a new project admin role that allows for global administrators to delegate management responsibilities more easily.
Chef Automate’s IAM supports up to 300 projects that are used in IAM policies to reduce the scope of permissions to the resources defined in an IAM project. In this example illustrated below, if there are independent business units, such as Finance or HR, Finance users will only see and have access to data related to Finance and HR users will only have access to data related to HR.
Chef customers wishing to get Chef Automate Identity and Access Management will need to make sure to be on the latest version of Chef Automate v2 (build number: 20200127203438).
To get the GA version of IAM:
New Customer (Installing Automate for the first time)
Once the latest version of Automate is installed, IAM can be obtained by running a simple chef-automate iam upgrade-to-v2 from the CLI (Command Line Interface) to make sure the IAM GA functionality is active.
Existing Customers
For current Chef Automate Users, once the latest version of Automate is installed, IAM can be obtained by running a simple chef-automate iam upgrade-to-v2 command to upgrade to the latest version of IAM V2 GA.
For more information on the IAM upgrade path please visit the documentation page.
For more information about this Chef Automate IAM release, please be sure to check out the User’s Guide.
Your feedback is always welcome so in order to continue to improve our IAM offering we hope you provide feedback by entering your suggestions in Chef’s Idea Portal.